According to a report published Monday by the Government Accountability Office, the Department of Defense lacks clear rules on who would be in charge during a national-level cyberattack. It could be the US Northern Command, which coordinates DoD homeland defense efforts with civil authorities, or it could be US Cyber Command, which handles the government's cyber security forces -- but nobody's quite sure who should handle what, or when.
For example, if hackers went after the national power grid, rules are in place that the DoD would work to support the Department of Homeland Security -- that much is clear. However, there aren't any actionable rules for how exactly the two would work together. "This absence has caused uncertainty about who in DoD would respond to support civil authorities in a cyber incident, and how they would coordinate and conduct such a response," the GAO report reads. "The designation of cyber roles and responsibilities in DoD guidance is inconsistent."
Specifically, the GAO found that the role of "dual-status commander" caused a host of problems. This mantle is typically donned in order to streamline the military's command structure during national emergencies. However, as the recent "Cyber Guard 15" training exercise showed, this role doesn't accurately translate from conventional warfare scenarios. During Cyber Guard, the dual-status commander wasn't given authority over Cyber Command -- as the current rules dictate -- which prevented the him from effectively deploying them.
While this isn't a pressing issue, the GAO has recommended that the Pentagon get these rules straightened out sooner than later. Of course, the wheels of bureaucracy turn slowly. Though the DoD has acknowledged these shortcomings, there's no word on when it will implement changes to its rules.